A CSIRT Process Model for Improving Information Sharing & Knowledge Capture in Cybersecurity
US‐CERT
Tom Millar
November 2010
thomas.millar@us‐cert.gov
Problem
Information sharing is a priority for all cyber security organizations – not only between internal functional groups, but externally with partners both public and private, at home and abroad.
However, increased information sharing is of little benefit without a shared perspective and vocabulary among the participants.
US‐CERT
Starting Point: Howard & Longstaff
This 7‐part taxonomy appears in “A Common Language for Computer Security Incidents” from 1998, by John Howard & Tom Longstaff, published by Sandia National Labs.
US‐CERT
One Implementation: The IODEF
• Tool and Vulnerability become Method
• Action becomes EventData
• Target is part of both Contact (the PoC) and EventData (the system)
• Unauthorized Result becomes Assessment
5 of the 7 parts from Howard & Longstaff’s taxonomy were adopted as data element classes in the IETF’s Incident Object Definition Exchange Format, an XML schema for cyber incident reporting.
US‐CERT
Map Taxonomy to Process
Coordinate
Detect
Action
EventData
Target
Contact/ System
Assess
Analyze
Result
Impact
Tool/Vuln
Method
US‐CERT
…and Rediscover the OODA Loop
Detect – Coordinate & Analyze – Assess…
That’s Nice, But: Now what?
US‐CERT
Extending the Loop:
Detect – Coordinate – Analyze – Assess
Action
EventData
A
O
Action
EventData
Target
Contact/ System
D
O
Tool/Vuln
Method
Target
Contact/ System
O
D
Tool/Vuln
Method
Result
Impact
O
A
Result
Impact
Monitor – Mitigate – Determine – Confirm
Chaining two “OODA” loops together gives us a better picture of a complete incident management process from identification to recovery, and most importantly, using the same language throughout
US‐CERT
Extending the Data Model:
Detect – Coordinate – Analyze – Assess
Action:
CEE
IDMEF
IPFIX
Target:
CPE
CCE
XCCDF
OCIL
ARF
Tool/Vuln:
CVE, CWE
CAPEC
MAEC
OVAL
OpenIOC
IEEE ICSG
Result:
ARF/
IODEF?
Monitor – Mitigate – Determine – Confirm
Existing and emerging specifications could be wrapped in a larger IODEF document type – when completely “filled out” in the course of the process loop, we begin capturing more and more reusable knowledge
US‐CERT
Organizational Challenges:
John Bodnar’s “Warning Analysis For The Information Age” describes how nested or chained OODA loops function in organizations.
In the above example, “Intelligence” might be a CERT/CSIRT/SOC; “Operations” then becomes the NOC/ITS team. Patch this! Block that!
US‐CERT
Differences in Octave/Register
Ops
DeciHz (Fractions of Minutes)
IT/Sec
MilliHz
(Minutes to Hours)
Mgmt
MicroHz
(Hours to Days)
Policy
NanoHz
(Days to Months)
Each layer in an organization has their own loop frequencies. Business Ops act at Push‐To‐Talk speed; IT & Security act at E‐mail speed; Management & Policy may act at Memorandum speed or slower!
US‐CERT
Conclusions
Detect – Coordinate – Analyze – Assess
Action
EventData
A
O
Action
EventData
Target
Tool/Vuln
Contact/ Method
System O
D
D
Result
Impact
O
O
Target
Tool/Vuln
Contact/ Method
System
Ops
DeciHz (Fractions of Minutes)
IT/Sec
MilliHz
(Minutes to Hours)
Mgmt
MicroHz
(Hours to Days)
Policy
NanoHz
(Days to Months)
A
Result
Impact
Monitor – Mitigate – Determine – Confirm
For information sharing to be minimally useful, we have to speak a common language (a language is more than a vocabulary).
For information sharing to be optimal, we have to understand how each part of that language plays its role in the greater cyber security process: incident identification, mitigation, recovery, knowledge capture and ‐
eventually ‐ developing safer code and protocols.
US‐CERT